Hello and welcome to this IT Security Policy training from Cybrary. We're continuing with module two, the unique user policy.
My name is Troy Lemaire.
The learning objective for this policy is unique user login ID, auditing, and network access form.
We're gonna use another template from healthit.gov.
Um, the categories are in here: your review and your purpose. Purpose is to ensure accountability of all users that access networks and network devices.
Scope is the policy applies to all company employees and affiliates
And getting into the meat of the policy:
individual users shall have unique login IDs and passwords, and an access control system shall identify each user and prevent unauthorized users from entering or using information resources.
Basically, every user should always have their own ID.
You don't want to have a situation where you have users that are sharing IDs.
What can happen is, when a shared ID is used by two different users, if something happens in the system that you need to be able to track, or some type of legal action happens or a regulatory action happens,
then at that point you have a hard time distinguishing who actually took the action or did the action in the system, because it's shared between users.
But you don't want him to be able to share. You want to be able to give information about their user IDs to another user. And you wanna put that in the policy to make sure that's reinforced.
Security requirements for user identification include: each user shall be assigned a unique identifier.
Users shall be responsible for the use and misuse of their individual logon IDs.
All user login IDs are audited at least twice yearly. So this is something that's highlighted, because you need to specify how often you wanna audit these login IDs.
Then all inactive login IDs are revoked. You don't wanna have login IDs for prior employees that are no longer in the system, because that tends to allow somebody who's not supposed to be using that ID to be able to get in under that name.
Practice Human Resources department notifies the Security Office or appropriate personnel upon the departure of all employees and contractors, at which time login IDs are revoked. So you want to change this for whatever your process is, whatever your HR department does to notify the IT department that the employee is no longer there. You want to designate that in this description
and then explain how it's going to be revoked.
Login IDs are locked or revoked after a maximum of three unsuccessful login attempts, which then require the password to be reset by the appropriate administrator.
Again, highlighted for three unsuccessful logins,
because in some cases what will happen is, three times is what you might have, but you might have it only two times on certain systems or five times on other systems, depending on the security of the system.
And then they talk about the password: it has to be reset. In some situations you don't need to reset a password. What will happen is that account needs to be enabled again after it is disabled or locked by the system after three unsuccessful attempts.
Users who desire to obtain access to systems must have a completed and signed network access form.
The form must be signed by the supervisor or department head of each user requesting access.
So basically, you wanna have a procedure in place where there is documentation
that this user ID for this employee is being requested, and you want that request to come from a higher authority than that user. So a supervisor or a manager should have some type of sign-off that says, "Yes, I am granting and approving the ability for this user to obtain access to the systems." And that way you have a tracking mechanism to make sure that it is done in a way that is secure.
And, as always, policy compliance.
Verification from the compliance department or the IT department is gonna be used in various methods. Exceptions to the policy must be approved in advance.
And if you violate the policy, you could be subject to disciplinary action.
So in today's brief lecture, we discussed the unique user policy: unique user login ID, the auditing, and the network access form.
A recap question on unique user policy:
Users shall be responsible for the blank and blank of their individual logon ID.
And that would be for the use and misuse of their individual login ID.
Another recap question. Who should sign a network access form?
And this would be a supervisor or manager,
basically anybody in authority over that position to give the approval needed for that access that is being requested.
And our next lecture will look at password management, still part of general policies.
If you have any questions or need clarification, as always, Cybrary message me. My user name is at Troy Lemaire.
And thank you for attending this Cybrary training.